Your message dated Mon, 11 Jul 2022 09:49:24 +0200
with message-id
<cad+gyvyj1chr0bljiqswzdvrcszdm4n8xzdbzodersxqxmd...@mail.gmail.com>
and subject line Re: Bug#1014710: gegl: CVE-2018-10111 CVE-2018-10112
has caused the Debian Bug report #1014710,
regarding gegl: CVE-2018-10111 CVE-2018-10112
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1014710: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014710
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gegl
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for gegl.
CVE-2018-10111[0]:
| An issue was discovered in GEGL through 0.3.32. The render_rectangle
| function in process/gegl-processor.c has unbounded memory allocation,
| leading to a denial of service (application crash) upon allocation
| failure.
https://bugzilla.gnome.org/show_bug.cgi?id=795249
https://gitlab.gnome.org/GNOME/gegl/issues/65
POC https://github.com/xiaoqx/pocs/tree/master/gegl#2-gegl-dos-1
CVE-2018-10112[1]:
| An issue was discovered in GEGL through 0.3.32. The
| gegl_tile_backend_swap_constructed function in buffer/gegl-tile-
| backend-swap.c allows remote attackers to cause a denial of service
| (write access violation) or possibly have unspecified other impact via
| a malformed PNG file that is mishandled during a call to the
| babl_format_get_bytes_per_pixel function in babl-format.c in babl
| 0.1.46.
https://bugzilla.gnome.org/show_bug.cgi?id=795249
https://gitlab.gnome.org/GNOME/gegl/issues/65
https://github.com/xiaoqx/pocs/tree/master/gegl#4-gegl-outbound-write-2
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-10111
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10111
[1] https://security-tracker.debian.org/tracker/CVE-2018-10112
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10112
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
I'm closing since this is fixed in Stable and more recent and it's
listed as "no DSA, ignored" at
https://security-tracker.debian.org/tracker/source-package/gegl
Thank you,
Jeremy Bicha
--- End Message ---
